Spring security Spring安全性（Java配置）：对同一URL使用antmatchers和不同的HTTP方法_Spring Security

Spring security Spring安全性（Java配置）：对同一URL使用antmatchers和不同的HTTP方法

spring-security

Spring security Spring安全性（Java配置）：对同一URL使用antmatchers和不同的HTTP方法,spring-security,Spring Security,我试图限制一个角色对URL的访问权限，而另一个角色对同一URL的POST访问权限，如下所示 @Configuration @EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter { @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception {

我试图限制一个角色对URL的访问权限，而另一个角色对同一URL的POST访问权限，如下所示

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("user").password("password").roles("USER").and()
            .withUser("readuser").password("password").roles("USER", "READ").and()
            .withUser("admin").password("password").roles("USER", "READ", "WRITE");
    }

    protected void configure(HttpSecurity http) throws Exception {
        http
            .formLogin().permitAll().and()
            .logout().permitAll().and()
            .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/api/foo").hasRole("READ")
                .antMatchers(HttpMethod.POST, "/api/foo").hasRole("WRITE")
                .anyRequest().authenticated()
                .and().csrf().disable()
            .httpBasic();

当我尝试使用我的readuser帐户获取（或发布）时，我得到一个拒绝访问错误；但当我尝试使用管理员帐户时，两者都可以

但是，当我删除行

.antMatchers（HttpMethod.POST，“/api/foo”）.hasRole（“WRITE”）

时，我的readuser帐户可以通过GET请求正确地点击/api/foo

如何使Spring安全性同时允许这两种限制

更新-包括相关的spring安全调试日志信息

以下是尝试使用readuser时的相关日志：

************************************************************

Request received for GET '/api/foo?id=foo':

Request(GET //localhost:8089/api/foo?id=foo)@b4603eb

servletPath:/api/foo
pathInfo:null
headers:
Authorization: Basic cnVudXNlcjpwYXNzd29yZA==
Cookie: JSESSIONID=node0fe3b0i44a5sbpohi6jq6dkkw0.node0
Cache-Control: no-cache
Accept: */*
User-Agent: PostmanRuntime/3.0.11-hotfix.2
Connection: keep-alive
Postman-Token: 99a23213-6cf8-4686-9886-7f9c2de13c6f
Host: localhost:8089
Accept-Encoding: gzip, deflate


Security filter chain: [
  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  LogoutFilter
  UsernamePasswordAuthenticationFilter
  DefaultLoginPageGeneratingFilter
  BasicAuthenticationFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]


************************************************************
.
.
.
2017-05-08 11:31:27.817 DEBUG 5812 --- [p1731685294-106] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/api/foo'; against 'GET'
2017-05-08 11:31:27.817 DEBUG 5812 --- [p1731685294-106] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/api/foo'; against '/api/foo'
2017-05-08 11:31:27.817 DEBUG 5812 --- [p1731685294-106] o.s.s.w.a.i.FilterSecurityInterceptor    : Secure object: FilterInvocation: URL: /api/foo?id=foo; Attributes: [hasRole('ROLE_WRITE')]
2017-05-08 11:31:27.818 DEBUG 5812 --- [p1731685294-106] o.s.s.w.a.i.FilterSecurityInterceptor    : Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@a38eb23d: Principal: org.springframework.security.core.userdetails.User@5c7268d6: Username: readuser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_READ,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_READ, ROLE_USER
2017-05-08 11:31:27.818 DEBUG 5812 --- [p1731685294-106] o.s.s.access.vote.AffirmativeBased       : Voter: org.springframework.security.web.access.expression.WebExpressionVoter@7b20c046, returned: -1
2017-05-08 11:31:27.819 DEBUG 5812 --- [p1731685294-106] o.s.s.w.a.ExceptionTranslationFilter     : Access is denied (user is not anonymous); delegating to AccessDeniedHandler

org.springframework.security.access.AccessDeniedException: Access is denied
.
.
.
2017-05-08 11:31:27.823 DEBUG 5812 --- [p1731685294-106] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed

您使用了错误的

HttpMethod

类

返回一个

字符串

，因此在Spring安全配置中使用而不是

通过该配置，Spring安全性检查URL模式

GET

和

/api/foo

（这两种模式都适用于所有HTTP方法），请参阅您的日志：

您必须使用，它返回一个

HttpMethod

对象。

我刚刚用这个配置模拟了一个spring boot应用程序，似乎对我来说工作正常。我可以使用readuser点击

GET

，但如预期的那样，对

POST

的访问被拒绝。有了管理员，我两个都能打。控制器可能有问题？

2017-05-08 11:31:27.817 DEBUG 5812 --- [p1731685294-106] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/api/foo'; against 'GET' 
2017-05-08 11:31:27.817 DEBUG 5812 --- [p1731685294-106] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/api/foo'; against '/api/foo'